Azure WAF

Azure Web Application Firewall (WAF) provides centralized protection of your web applications and APIs from common exploits and vulnerabilities. Web applications increasingly encounter malicious attacks that exploit commonly known vulnerabilities. SQL injection and cross-site scripting are among the most common attacks. For more details refer to Microsoft’s official documentation.

Integration Method: API

Tables: HTTP Activity (4002), Web Resources Activity (6001)

This integration supports the following events.

This integration supports the following versions.

Note:

Azure WAF is a continuously updated cloud service. As for this document preparation, the latest release was in May 2024.

Prerequisites

• The user should have access to the Azure portal with an account that has the Global Administrator privileges.  

• The user should have access to the DataBee console.

Configuration Overview 

1. Create an application with required permissions to fetch the data.

2. Create Azure WAF Data Feed in the DataBee console with the required Client credentials. 

   DataBee Parameter	Azure Parameter
   Client Key	Application (client ID)
   Client Secret	Client secret Value
   Token URL(<tenant_id>)	Directory (Tenant) ID
   Workspace ID (workspaceId)	Workspace ID

Azure Configuration 

Create an application 

1. Log on to Azure portal with an account that has the Global Administrator privileges.

   In the search bar, search for App Registrations and select it. 

   
   

2. On the “Register an application” window:

   1. Under ‘Name’, enter your Application Name then click on Register to create the application.

   

3. On the app Overview page, copy the Application (client) ID and Directory (tenant) ID for later use.

   

4. Login on to Azure portal with an account that has the Global Administrator privilege. In the search bar check for Log Analytics Workspaces and select it.

   

5. Search for the Workspace and select it.
    

6. On the Overview page, copy the Workspace ID for later use.

   

Add Endpoint Access   

Once the application is created, three permissions should be provided to fetch data. The appropriate permissions for the application are needed to access these endpoints. The following section details how to configure and add permissions to the required endpoints.   

Add Permissions

From the Azure Active Directory portal:   

1. Select the application registered in the previous step. 

   
   

2. Under Manage, Select API Permissions > Add a Permission, the “Request API permissions” window will appear. On the APIs my organization uses tab, search for Log Analytics and select Log Analytics API from the list.

   

3. On the Log Analytics API overview, Select Delegated permissions and Select the Data.Read checkbox and Select Add permissions.

   

4. The following permissions need to be granted for the endpoint to function properly:

   Event	Type	Permission Name
   Firewall	Delegated	Data.Read
   Access	Delegated	Data.Read

   

5. Now that your app is registered and has permissions to use the API, grant your app access to your Log Analytics workspace.

   From your Log Analytics workspace overview page, select Access control (IAM) > Add role assignment.

   

6. Under Role select the Reader and select member to be added.

   

7. On the Members tab, choose Select members, Enter the name of your app in the Select box, select your app and choose Select.

   

8. Select Review + assign.

   

Create the Client Secret 

The final step in accessing the APIs is creating a Client Secret. To create it from the Azure Portal:   

1. Select the application created above. 

2. Under Manage, Click Certificates & Secrets, and then Client Secrets.  
    

3. Click New client secret. Then “Add a client secret” window appears.  
    

4. On “Add a client secret” window: 

   1. Enter a ‘Description’ for this client secret and select the desired expiry period from the ‘Expires’ drop-list. 

   2. Then click on Add to create the client secret. 
       

      Note:

      The user needs to re-create the client secret when it expires.

5. Copy the ‘Value’ fields for later use.

   

   This completes the setup for Azure Activity API integration.

DataBee Configuration

1. Login to the DataBee UI, navigate to Data > Data Feeds and click the Add New Data Feed button.
    

2. Search for the Azure / Azure WAF and click it as shown below.

   
   

3. Click on the API Ingest option for collection method.
    

4. Enter feed contact information and click Next.
    

5. In the configuration page, confirm the following:

   • Authorization Method: OAuth2

   • Client Key: Paste the Application (Client) ID generated previously.

   • Client Secret: Paste the Client Secret generated previously.

   • Token URL: Replace <tenant_id> placeholder with your Directory (Tenant) ID.

   • Workspace ID: Paste the Workspace ID noted earlier.

   • Event Types: Preselected for all the event types that integration pulls.

   

6. Click Submit.

Troubleshooting Tips 

• If you are facing an invalid client or unauthorized client error this might be possibly due to incorrect credentials. Ensure the client key, client secret and Tenant ID are pasted correctly. Since you cannot view the client secret after the 1^st time, re-create it, paste it on a text editor to ensure no spaces or unexpected characters are included and reconfigure the DataBee feed. 

• If you are facing response code - 403 this might be possibly due to missing permissions. Ensure that all the required permissions are granted correctly as per the above-mentioned steps.